[Resource Topic] 2022/812: Secret Can Be Public: Low-Memory AEAD Mode for High-Order Masking

Welcome to the resource topic for 2022/812

Secret Can Be Public: Low-Memory AEAD Mode for High-Order Masking

Authors: Yusuke Naito, Yu Sasaki, and Takeshi Sugawara

We propose a new AEAD mode of operation for an efficient countermeasure against side-channel attacks. Our mode achieves the smallest memory with high-order masking by minimizing the states that are duplicated in masking. An $s$-bit key-dependent state is necessary for achieving $s$-bit security, and the conventional schemes always protect the entire $s$ bits with masking. We reduce the protected state size by introducing an unprotected state in the key-dependent state: we protect only one half and give the other half to a side-channel adversary. Ensuring independence between the unprotected and protected states is the key technical challenge, since mixing these states reveals the protected state to the adversary. We propose a new mode $\mathsf{HOMA}$ that achieves $s$-bit security using a tweakable block cipher with an $s/2$-bit block size. We also propose a new primitive for instantiating $\mathsf{HOMA}$ with $s=128$ by extending the SKINNY tweakable block cipher to a 64-bit plaintext block, a 128-bit key, and a $(256+3)$-bit tweak. We evaluate hardware performance by implementing $\mathsf{HOMA}$ with high-order masking for $d \le 5$. For any $d > 0$, $\mathsf{HOMA}$ outperforms the current state-of-the-art $\mathsf{PFB\_Plus}$ by reducing the circuit area by more than the area of an entire S-box.

ePrint: https://eprint.iacr.org/2022/812

Talk: https://www.youtube.com/watch?v=Ond_U43e8B8

Slides: https://iacr.org/submit/files/slides/2022/crypto/crypto2022/65/slides.pdf


Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics.